Re: How do I add users using Python scripts on a Linux machine
by Lawrence D'Oliveiro
Jan 4 2007 10:51PM
In message <m2hcv651ta.fsf@[...].nl>, Piet van Oostrum wrote:
> The scenario is as follows: Suppose the script starts with the line:
> #!/usr/bin/python
>
> (using #!/usr/bin/env python would be disastrous because the user could
> supply his own `python interpreter' in his PATH.)
>
> Now a malicious user can make a link to this file in his own directory,
> e.g. to /Users/eve/myscript1. Because permissions are part of the file
> (inode), not of the file name, this one is also suid.
>
> Now she execs /Users/eve/myscript1. The kernel, when honoring suid
> scripts, would start up python with effective uid root with the command
> line: /usr/bin/env /Users/eve/myscript1
No it wouldn't. This security hole was fixed years ago.
--
http://mail.python.org/mailman/listinfo/python-list
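
An added example, not part of the original posts: the quoted point that permission bits belong to the inode rather than the file name, shown as an audit that lists set-uid/set-gid files reachable under more than one name. It assumes the "link" in the quoted scenario is a hard link; the function names, file names and the temporary directory are constructed for illustration.

```python
import os
import stat
import tempfile


def find_multilinked_setid(root):
    """Return {(dev, ino): [paths]} for set-uid/set-gid regular files under
    root whose inode has more than one name (st_nlink > 1)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and st.st_nlink > 1:
                hits.setdefault((st.st_dev, st.st_ino), []).append(path)
    return {k: sorted(v) for k, v in hits.items()}


def demo():
    """Constructed sample: one set-uid script with a second hard-linked name,
    one set-uid file with a single name, one ordinary file."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "eve"))
        script = os.path.join(root, "adduser.py")
        alias = os.path.join(root, "eve", "myscript1")
        single = os.path.join(root, "single.py")
        plain = os.path.join(root, "plain.py")
        for p in (script, single, plain):
            with open(p, "w") as fh:
                fh.write("#!/usr/bin/python\n")
        os.chmod(script, 0o4755)  # set-uid bit on files we own
        os.chmod(single, 0o4755)
        os.link(script, alias)  # second name, same inode
        same_inode = os.stat(script).st_ino == os.stat(alias).st_ino
        alias_suid = bool(os.stat(alias).st_mode & stat.S_ISUID)
        found = find_multilinked_setid(root)
        names = [[os.path.relpath(p, root) for p in v] for v in found.values()]
        return same_inode, alias_suid, names


if __name__ == "__main__":
    print(demo())
```

The audit only sees names inside the tree it walks, so run it from the root of each filesystem to catch links placed in other directories.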